fix: [#28] update nginx templates to resolve HTTP/2 deprecation warnings

josecelano · josecelano · commit cd0e5e52a2af · 2025-08-06T09:56:55.000+01:00
- Update deprecated 'listen 443 ssl http2' syntax to 'listen 443 ssl' + 'http2 on'
- Remove commented HTTPS configuration from nginx.conf.tpl (moved to nginx-https-extension.conf.tpl)
- Clean up TODO comments about variable escaping (now properly resolved)
- Maintain separation of HTTP (nginx.conf.tpl) and HTTPS (nginx-https-extension.conf.tpl) configurations
- Fix all nginx variable escaping using DOLLAR environment variable
diff --git a/infrastructure/config/templates/application/nginx/nginx-https-extension.conf.tpl b/infrastructure/config/templates/application/nginx/nginx-https-extension.conf.tpl
@@ -15,8 +15,9 @@ upstream grafana {
 
 # HTTPS server for tracker subdomain
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
     server_name ${TRACKER_DOMAIN};
 
     server_tokens off;
@@ -84,8 +85,9 @@ server {
 
 # HTTPS server for grafana subdomain
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
     server_name ${GRAFANA_DOMAIN};
 
     server_tokens off;
diff --git a/infrastructure/config/templates/application/nginx/nginx-https-selfsigned.conf.tpl b/infrastructure/config/templates/application/nginx/nginx-https-selfsigned.conf.tpl
@@ -15,8 +15,9 @@ upstream grafana {
 
 # HTTPS server for tracker subdomain
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
     server_name ${TRACKER_DOMAIN};
 
     server_tokens off;
@@ -73,8 +74,9 @@ server {
 
 # HTTPS server for grafana subdomain
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
     server_name ${GRAFANA_DOMAIN};
 
     server_tokens off;
diff --git a/infrastructure/config/templates/application/nginx/nginx.conf.tpl b/infrastructure/config/templates/application/nginx/nginx.conf.tpl
@@ -5,13 +5,6 @@
 # - Nginx variables (like $proxy_add_x_forwarded_for, $host, $http_upgrade) must be escaped
 # - Use ${DOLLAR} environment variable to represent literal $ in nginx config
 # - Example: ${DOLLAR}proxy_add_x_forwarded_for becomes $proxy_add_x_forwarded_for
-#
-# TODO: Fix the commented HTTPS configuration section below
-# - The HTTPS configuration has inconsistent variable escaping
-# - Some nginx variables use literal $ (incorrect) while others should use ${DOLLAR}
-# - Line 117: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; (needs ${DOLLAR})
-# - Lines with $host, $http_upgrade, $connection_upgrade also need escaping
-# - SSL certificate paths and other static values are correct as-is
 
 server
 {
@@ -63,125 +56,3 @@ server
             root /var/www/html;
     }
 }
-
-#server
-#{
-#    listen 443 ssl http2;
-#    listen [::]:443 ssl http2;
-#    server_name tracker.torrust-demo.com;
-#
-#    server_tokens off;
-#
-#    ssl_certificate /etc/letsencrypt/live/tracker.torrust-demo.com/fullchain.pem;
-#    ssl_certificate_key /etc/letsencrypt/live/tracker.torrust-demo.com/privkey.pem;
-#
-#    ssl_buffer_size 8k;
-#
-#    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
-#
-#    ssl_protocols TLSv1.2;
-#    ssl_prefer_server_ciphers on;
-#
-#    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
-#
-#    ssl_ecdh_curve secp384r1;
-#    ssl_session_tickets off;
-#
-#    ssl_stapling on;
-#    ssl_stapling_verify on;
-#    resolver 8.8.8.8;
-#
-#    location /api/
-#    {
-#        try_files $uri @tracker-api;
-#    }
-#
-#    location /
-#    {
-#        try_files $uri @tracker-http;
-#    }
-#
-#    location @tracker-api
-#    {
-#        proxy_pass http://tracker:1212;
-#        add_header X-Frame-Options "SAMEORIGIN" always;
-#        add_header X-XSS-Protection "1; mode=block" always;
-#        add_header X-Content-Type-Options "nosniff" always;
-#        add_header Referrer-Policy "no-referrer-when-downgrade" always;
-#        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-#        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-#        # enable strict transport security only if you understand the implications
-#    }
-#
-#    location @tracker-http
-#    {
-#        proxy_pass http://tracker:7070;
-#        add_header X-Frame-Options "SAMEORIGIN" always;
-#        add_header X-XSS-Protection "1; mode=block" always;
-#        add_header X-Content-Type-Options "nosniff" always;
-#        add_header Referrer-Policy "no-referrer-when-downgrade" always;
-#        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-#        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-#        # enable strict transport security only if you understand the implications
-#
-#    proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
-#    }
-#
-#    root /var/www/html;
-#    index index.html index.htm index.nginx-debian.html;
-#}
-
-## This is required to proxy Grafana Live WebSocket connections.
-#map $http_upgrade $connection_upgrade {
-#  default upgrade;
-#  '' close;
-#}
-#
-#upstream grafana {
-#  server grafana:3000;
-#}
-#
-#server
-#{
-#        listen 443 ssl http2;
-#        listen [::]:443 ssl http2;
-#        server_name grafana.torrust-demo.com;
-#
-#        server_tokens off;
-#
-#        ssl_certificate /etc/letsencrypt/live/grafana.torrust-demo.com/fullchain.pem;
-#        ssl_certificate_key /etc/letsencrypt/live/grafana.torrust-demo.com/privkey.pem;
-#
-#        ssl_buffer_size 8k;
-#
-#        ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
-#
-#        ssl_protocols TLSv1.2;
-#        ssl_prefer_server_ciphers on;
-#
-#        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
-#
-#        ssl_ecdh_curve secp384r1;
-#        ssl_session_tickets off;
-#
-#        ssl_stapling on;
-#        ssl_stapling_verify on;
-#        resolver 8.8.8.8;
-#
-#        location / {
-#                proxy_set_header Host $host;
-#                proxy_pass http://grafana;
-#        }
-#
-#        # Proxy Grafana Live WebSocket connections.
-#        location /api/live/ {
-#                proxy_http_version 1.1;
-#                proxy_set_header Upgrade $http_upgrade;
-#                proxy_set_header Connection $connection_upgrade;
-#                proxy_set_header Host $host;
-#                proxy_pass http://grafana;
-#        }
-#
-#        root /var/www/html;
-#        index index.html index.htm index.nginx-debian.html;
-#}
diff --git a/infrastructure/scripts/provision-infrastructure.sh b/infrastructure/scripts/provision-infrastructure.sh
@@ -232,7 +232,7 @@ provision_infrastructure() {
 
 # Main execution
 main() {
-    log_info "Starting infrastructure provisioning (Twelve-Factor Build Stage)"
+    log_info "Starting infrastructure provisioning"
     log_info "Environment Type: ${ENVIRONMENT_TYPE}"
     
     # Load environment configuration
@@ -259,7 +259,7 @@ main() {
 # Show help
 show_help() {
     cat <<EOF
-Infrastructure Provisioning Script (Twelve-Factor Build Stage)
+Infrastructure Provisioning Script
 
 Usage: ENVIRONMENT_TYPE=<type> ENVIRONMENT_FILE=<file> $0 [ACTION]
 
diff --git a/tests/test-e2e.sh b/tests/test-e2e.sh
@@ -92,6 +92,24 @@ test_infrastructure_provisioning() {
         log_info "No existing infrastructure to clean up"
     fi
 
+    # Generate E2E environment configuration (ensures latest templates are used)
+    log_info "Generating E2E environment configuration..."
+    local config_file="infrastructure/config/environments/${ENVIRONMENT_FILE}.env"
+    
+    # Remove existing configuration file to ensure we use latest templates
+    if [ -f "${config_file}" ]; then
+        log_info "Removing existing configuration file: ${config_file}"
+        rm -f "${config_file}"
+    fi
+    
+    # Generate fresh configuration from templates
+    if ! make infra-config ENVIRONMENT_TYPE="${ENVIRONMENT_TYPE}" PROVIDER="libvirt"; then
+        log_error "Failed to generate E2E environment configuration"
+        return 1
+    fi
+    
+    log_success "E2E environment configuration generated: ${config_file}"
+
     # Initialize infrastructure (Step 2.1 from guide)
     log_info "Initializing infrastructure..."
     if ! make infra-init ENVIRONMENT_TYPE="${ENVIRONMENT_TYPE}" ENVIRONMENT_FILE="${ENVIRONMENT_FILE}"; then
